We knew this was coming. We’ve known for years that a ransomware attack on the scale of WannaCry was not just possible, but probable. What we didn’t know was that when it came it would involve a vulnerability discovered by the NSA, an exploit developed by the NSA, and a backdoor written by the NSA.
But that’s where we are in 2017.
We’re dealing with a ransomware worm, possibly unleashed by a foreign government, that uses exploit code lifted from a tool dump stolen from the NSA. Allegedly. It’s a weird, hall-of-mirrors kind of story, and it’s looking more and more like a harbinger of things to come as we move deeper into the era of cyber espionage. WannaCry is very, very bad. It’s the most effective ransomware campaign we’ve seen to date. And it’s probably not over yet. There’s likely another variant or two in the works that don’t include the kill switch domains that researchers have used to limit its spread this week and that will cause a fresh wave of infections.
But the worst thing about WannaCry is that it’s not the worst. When we look back on this era in a few years, WannaCry may not even make the top 10 list of ransomware outbreaks. Attacks always get better, not worse, and ransomware is no exception. The first ransomware variants that emerged were primitive, inefficient, and largely ineffective. But in the space of a couple of years, we’ve arrived at a place where we have self-replicating ransomware worms using 2048-bit AES encryption and spreading via exploit code developed by an intelligence agency.
Things are bad, but there’s plenty of room for them to get worse. Attackers tend to learn from their mistakes, and you can bet that other ransomware groups and attack teams are watching the WannaCry campaign very closely, looking for errors and things they can improve upon. The kill switch domains would be high on that list. It’s like the scene in Hunt for Red October when the defecting Soviet submarine commander turns toward an oncoming torpedo, knowing that if he closes the distance quickly enough, the torpedo won’t have time to arm. The tactic works, but he tells his crew that it won’t work a second time.
“Right now, the Soviet Captain, a man named Tupolev is removing the safety features on all his weapons. He won’t make the same mistake twice,” Sean Connery’s Captain Ramius says.
The WannaCry attackers are unlikely to make the same mistake again, and neither are other ransomware groups. Expect the coming weeks, months, and years to bring more efficient and effective ransomware worms created by groups that have watched the WannaCry campaign play out and learned from it. WannaCry is the first ransomware worm we’ve seen that uses exploit code, and there’s every reason to think that others will follow its example. Users will continue to be bad at patching, and combining that with freely available vulnerability information and exploits makes for an ugly ransomware future.
Image: Kuster and Wildhaber Photography, CC by-nd license.